400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
Size

1.2MB
MD5

7af7da2870b9acfbcd9f440466097ae2
SHA1

892f6f095b611003f842eda8c57ee8bdf50bcb72
SHA256

400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3
SHA512

72d05d4683299fda6d801660d07d77300b15370d556b14f794abadb5744e627163242c4efda567388a0ba2429abff834652fcdca3233eb143aca1919b530628a
SSDEEP

24576:3qDEvCTbMWu7rQYlBQcBiT6rprG8aLw2Sbly7TWEPje:3TvC/MTQYxsWR7aLw2dW

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3268	firefox.exe
Token: SeDebugPrivilege	3268	firefox.exe
Token: SeDebugPrivilege	3268	firefox.exe
Token: SeDebugPrivilege	3268	firefox.exe
Token: SeDebugPrivilege	3268	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
3268	firefox.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3268	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 2668	4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe	92
PID 4500 wrote to memory of 2668	4500	400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe	92
PID 2668 wrote to memory of 3268	2668	firefox.exe	94
PID 2668 wrote to memory of 3268	2668	firefox.exe	94
PID 2668 wrote to memory of 3268	2668	firefox.exe	94
PID 2668 wrote to memory of 3268	2668	firefox.exe	94
PID 2668 wrote to memory of 3268	2668	firefox.exe	94
PID 2668 wrote to memory of 3268	2668	firefox.exe	94
PID 2668 wrote to memory of 3268	2668	firefox.exe	94
PID 2668 wrote to memory of 3268	2668	firefox.exe	94
PID 2668 wrote to memory of 3268	2668	firefox.exe	94
PID 2668 wrote to memory of 3268	2668	firefox.exe	94
PID 2668 wrote to memory of 3268	2668	firefox.exe	94
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 2792	3268	firefox.exe	95
PID 3268 wrote to memory of 432	3268	firefox.exe	96
PID 3268 wrote to memory of 432	3268	firefox.exe	96
PID 3268 wrote to memory of 432	3268	firefox.exe	96
PID 3268 wrote to memory of 432	3268	firefox.exe	96
PID 3268 wrote to memory of 432	3268	firefox.exe	96
PID 3268 wrote to memory of 432	3268	firefox.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe
"C:\Users\Admin\AppData\Local\Temp\400b769a1c6961377e7935e4f9192af7f0c62d57166e11a031bc13f03a8234a3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {005c3c55-6afe-4ab7-a382-ef6c357e4c1c} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" gpu
      4⤵
      PID:2792
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6129a14f-66f1-4f03-82fa-174fe0092dca} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" socket
      4⤵
      PID:432
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1456 -childID 1 -isForBrowser -prefsHandle 2748 -prefMapHandle 2672 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ddb1ae2-3857-43f0-aa9a-8599283b7940} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
      4⤵
      PID:2604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3616 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e35b618e-08ab-4bca-9054-dcc007edd645} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
      4⤵
      PID:3452
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4600 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4592 -prefMapHandle 4596 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5debae14-0557-4982-be63-69d39753c671} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" utility
      4⤵
      Checks processor information in registry
      PID:5312
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 3 -isForBrowser -prefsHandle 5388 -prefMapHandle 5508 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {216ade14-76db-4ac4-8691-cdc205f9305f} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
      4⤵
      PID:6072
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 4 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7968326c-4fef-4fc9-be0e-a75d97c15042} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
      4⤵
      PID:6088
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 5 -isForBrowser -prefsHandle 5620 -prefMapHandle 5624 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79ccd189-43ab-436b-80be-63db5cac970b} 3268 "\\.\pipe\gecko-crash-server-pipe.3268" tab
      4⤵
      PID:6116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zirruo9e.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
6352f7d11ab01a1b72893f10e2af28e1

SHA1
0eeca5ee9cde1471d0569680dd9af463295ef516

SHA256
47549f8b72a6f8487b2c02564de47f3dad3d580de4fec81e2039192ae2840671

SHA512
f5022e358355d100445881af3c8ea07860f32e4f5a100f10a02c82f9bd17aef4a2ec9440bbedfce015b69075df7779aa18cfcb3e5a80b71f627f5bf10bcced8d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zirruo9e.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
af5588be0e960c49839ab44bd92faf74

SHA1
602ff9f54718e982f08aea8241984b73494e5cba

SHA256
2ade94eb53b52db9c64bb3c8c0dc3d8f358ba69af26b09b4ad0cf758e1699c40

SHA512
a9a3e5b486c6c0d741d391056428efbb383211aa4044e09d3b650cbd79c8ecc6a585f28a7ea3af8375df95b38e55aae4ad56e40101328a05f39d56f16873c7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\AlternateServices.bin

Filesize
8KB

MD5
a4ef304f3db3ef6ebff1eec29bb7081d

SHA1
8271c00822174c3a3cb0d5c79494b06975cdada0

SHA256
ba55d4ec8f6fa17cf9a9e2c3686c8b7b653fb0153112913488aee64a194e2c9b

SHA512
3f2cb4350572108dcc597e01ebec5e5b1a2f7e189cbb294714d7a0ebdd9c6b7c0d7da999bd6c29ad25d065b59954e8f5e32c0e5938616d7782c2ed7e50347882

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2e24097855b5593d15309e03609f3cd1

SHA1
53e7393f0c21855b0896f2a0c908d2a607815e10

SHA256
1ab91d7854c13f4900398d94efd2e1989edb3a6c88e220bce54c0f42cc70b651

SHA512
7b3fce475429fb5974d70637302eefad1e0bfa892fe001a164769ef75edcc6bf0dee61b302cf2bb5a056245624ed833e2efb4c1a70c731c2b75deb64da7d6d9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
30KB

MD5
7b0bc59822da1a42c62b253a8985394e

SHA1
e680aa153cfc548e0238dbcc81c24d98ed9da00d

SHA256
2a065ba7ab1ec2c5358c66c8338b272007fa2527cd66664698b677da039c114f

SHA512
d549af57447b212fc924ffebd8ba8eaa3df8996424d0e0a7052a056d04c7cbcfb19c71e3a4089596fec462152ffd80ed8b2957d2768578b9486956ead6ed656c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\96f2dacf-0869-43b6-ad62-65a662ba117e

Filesize
982B

MD5
c39617293b755a2a6a4cdf891e372bab

SHA1
f6f330a3d8d2ff0c506fecfdebb8159a8cc43572

SHA256
2a08869edef878bd0473f69c7c301c0828ac510e7027647109b62d4c00404b89

SHA512
accb88b700b4b6d3e695fe16a2ae4e2a233a9a5fb4a320c9906d17ea44e583fde7de89f313e654c69facfd7c6f4d90e80229f8d2d2100e1b37d7784a0ad9f8e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\ab65aea3-8be6-4e0d-979c-cb48f45e530b

Filesize
26KB

MD5
2eb9ff98d573f93707a70847f51c4d79

SHA1
1878ff8eb778a8dfffb9b60e138e39466c223136

SHA256
6317a8e30949911e9272c33f83340ef0a2a14998083deb65f23f5faf567e2390

SHA512
39d3ea7fdce1f7032ad2f1051206e6b482b97069d9f9f04dded170a334139e45016f9b9ec3ff7a8d3f3d788a54c22ba64a2ee12a9871a67e983c0634360e898e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\d24e0687-d46c-4489-a9b6-0bb2462af11c

Filesize
671B

MD5
6244fe995280bb1ac2d0c6018430a262

SHA1
141f8cafdb76442129819c538fede74b37f72e25

SHA256
20b8b6c3bd9f1613ebded198a8e448c02bfba4f82d3268c975d83f93a5156f7b

SHA512
0195aefa9a7f8162c1b719f73e10a33d24bbb3fa2ef7d66b9d1d84d68cd20a5c36081f15544ea3d67349c2302da8ee6e0a49c9c2e73d8ab3499422c19dbabec9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs-1.js

Filesize
12KB

MD5
ad30d29ec2ca95f3ed2e070a9a7d83dc

SHA1
f9eb7b74c1495b3026bfcb346a192a4f94798453

SHA256
78cc59f021b0ff0337ae16fb4494e5a5ebae366a6a3f7405208588720472fccb

SHA512
90b572825f5ddfbf7819fce2900805237e6511018c4fabe1f08d97ec850048f9e29f8d2d6b2e9e5a85d42d45470374730669e71685d5a0645b649733de00b1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs.js

Filesize
8KB

MD5
13c8b811b5d105e6f346cb3d043fd508

SHA1
cb006e8312bd77d05628e4eac7032641cfc0227f

SHA256
3312c7941293f9996daed02b15ccb4cbd3a8477b2c9612c95932fc2e18cbd316

SHA512
59e01132b9981b8c4266903ad22294de20e4555d2fda0a6af7a86babd106310dc6287ce250b24a48e0d35ec25bf2360bd9f6d052c3a403d7e71b062b5f20f1e1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads